Email errors, rogue staff: How businesses lose control of client data

Talking points

The data breach scheme applies to organisations covered by the Privacy Act.

In the December quarter, 47 per cent of breaches involved financial details.

Human error accounts for around one third of all compromised information.

From losing hard drives to emailing the wrong person, a number of simple mistakes have forced Australian businesses to confess to the information commissioner they have put the data of thousands of customers at risk.

Cybersecurity experts say small businesses can't afford to ignore information about data security risks and still have work to do when it comes to educating their staff about best practice.

Twelve months into Australia's notifiable data breach scheme, businesses have an outline of threats to their consumers' data. Credit: Olive Berg

One year on from the introduction of the country's notifiable data breach scheme, the office of the information commissioner has received 812 reports of cases where consumer data has been lost, stolen or accidentally disseminated to the wrong people.

The scheme requires all organisations covered by the Privacy Act, including businesses with turnover of $3 million or more, to log a report when they have had a data breach likely to result in serious harm.


The latest quarterly statistics from the program, released this week, help paint a picture of how and where companies have failed to protect information.

Across the past four quarters, malicious attacks have been the number one source of compromised data, followed by human error and then system faults. In the three months to December 2018, 64 per cent of breaches came from external attacks, 33 per cent from staff mistakes, and just 3 per cent from system faults.

Digging deeper, the numbers suggest that some of the simplest actions have led to customer data being compromised.

Over the past three quarters, there were 34 reports from businesses that customers could potentially be at risk because someone had simply lost physical paperwork or a hard drive containing that information.

There were 74 cases over the nine months to December where someone in a business "emailed the wrong person" and breached customers' privacy.


Cybersecurity expert Dr Nick Patterson says the scope of the data shows Australian businesses still need to conduct serious reviews of their security practices.

"We ultimately want to have more education and awareness on cyber security in our workplaces for staff and then bolster that with the right software and hardware to detect and prevent," the Deakin University academic says.

Human error is still a significant source of breaches and Dr Patterson says lost or stolen data is common.

"When it comes to losing hard drives, think how easy it can be to either leave a USB behind after a meeting - or I have heard stories of criminals breaking into cars to steal laptops," he says.

Insider threats

Malicious attacks are still the major contributing factor to private data being compromised, and threats can come from within a business.

There have been 307 reports of cyber incidents causing a breach in the past nine months.

"Rogue employees" are also a threat, with 41 reports of staff members' actions causing customer data to be stolen or disseminated, while there were 73 cases of paperwork and data being stolen from a business.

Australian information commissioner Angelene Falk said in a statement this week that the responsibility was with businesses to educate their staff about how data leaks.

"Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords," she said.

Even with good cybersecurity practices, though, consumer data could be at risk, Patterson says.

Seventeen per cent of cyber attacks last quarter were caused by ransomware or malware. Businesses should be tracking these threats, but sometimes not even the experts know about these ploys until they are underway.

"The tricky part with malware is that we can use software which is good at detecting current ‘strains’ but what about those which are either unknown as yet or the identifying signature just is hard to figure out," Patterson says.